Howdy Symfony Users, I will describe a problem, followed by a solution, followed by a question. Please bear with me...
This post relates to a problem regarding the rememberme cookie in sfGuard. Basically, you could only have one cookie per user, and that cookie was indexed on IP address at the time the cookie was created. This works if the IP address changes, but it does NOT work if you intend to be able to log in across multiple browsers. The latter is a requirement for any site that you would want to access from your iPhone and from your desktop interchangeably and is the de facto standard on the internet. (You are not signed out of Google Mail on the iPhone if you sign in from the desktop.)

I implemented a browser-based cookie and then extracted the signIn method from sfGuardSecurityUser into myUser. I replace the IP Address field with the value of the browser cookie, and I change the code from deleting all of the user's old cookies when setting a new cookie to only deleting the cookie associated with that browser. Probably easier to understand just to look at the code, which I will paste in at the end of this email. I do not bother changing the core implementation of sfGuardPlugin, so the sf_guard_remember_me table still has an ip_address column, etc, etc.

So my question: this seems like both a non-optimal solution (will need to update this every time sfGuardSecurityUser::signIn changes), and also, this seems like more-optimal behavior than the default. My question is, does this belong in sfGuardPlugin natively? If so, should I or how should I contribute it to the plugin? Or is this the "right" way to do it?

Thanks!

Craig

  public function signIn($user, $remember = false, $con = null)
  {
    ...[snip]...

    // remember?
    if ($remember)
    {
      // Using Browser Cookie to replace IP_ADDRESS as primary key indicator for sf_guard_remember_me table
      // Browser cookie expiration set to today + 10 years.
      $browser_cookie_name = sfConfig::get('app_sf_guard_plugin_browser_cookie_name', 'hybr');
      if (!($browser_cookie = sfContext::getInstance()->getRequest()->getCookie($browser_cookie_name)))
      {
        // first visit from this browser: mint an identifier and hand it out as a long-lived cookie
        $browser_cookie = $this->generateRandomKey();
        sfContext::getInstance()->getResponse()->setCookie($browser_cookie_name, $browser_cookie, time() + 60*60*24*365*10);
      }

      // remove old keys (expired rows for any user)
      $c = new Criteria();
      $expiration_age = sfConfig::get('app_sf_guard_plugin_remember_key_expiration_age', 15 * 24 * 3600);
      $c->add(sfGuardRememberKeyPeer::CREATED_AT, time() - $expiration_age, Criteria::LESS_THAN);
      sfGuardRememberKeyPeer::doDelete($c, $con);

      // remove other keys from this user
      // (only the key previously issued to this browser; the user's other browsers keep theirs)
      $c = new Criteria();
      $c->add(sfGuardRememberKeyPeer::USER_ID, $user->getId());
      $c->add(sfGuardRememberKeyPeer::IP_ADDRESS, $browser_cookie); // NEW LINE
      sfGuardRememberKeyPeer::doDelete($c, $con);

      // generate new keys
      $key = $this->generateRandomKey();

      // save key (the ip_address column now holds the browser cookie value)
      $rk = new sfGuardRememberKey();
      $rk->setRememberKey($key);
      $rk->setSfGuardUser($user);
      $rk->setIpAddress($browser_cookie /* $_SERVER['REMOTE_ADDR']*/); // CHANGED LINE
      $rk->save($con);

      // make key as a cookie
      $remember_cookie = sfConfig::get('app_sf_guard_plugin_remember_cookie_name', 'sfRemember');
      sfContext::getInstance()->getResponse()->setCookie($remember_cookie, $key, time() + $expiration_age);
    }
  }
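An added example, not code from Craig's post and not part of sfGuardPlugin: a self-contained PHP 7.4+ model of the per-browser remember-key table described above, so the behaviour can be exercised without Symfony or Propel. The in-memory `$table`, its column names (`browser_id`, `key_hash`), and the function names are assumptions made for this example; it also goes slightly beyond the post by drawing the key from `random_bytes()` and storing only a hash of it, so that the resolver has to compare hashes rather than raw cookie values.

```php
<?php
// Added example (not from the post or sfGuardPlugin): an in-memory model of a
// remember-me table keyed per (user, browser). $table plays the role of
// sf_guard_remember_me; column and function names are assumptions.
declare(strict_types=1);

const REMEMBER_KEY_TTL = 15 * 24 * 3600; // 15 days, the sfGuard default expiration age

/** Assumed stand-in for generateRandomKey(): 32 CSPRNG bytes, hex-encoded. */
function generateRememberKey(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Issue a remember key for ($userId, $browserId), mirroring the post's signIn():
 * prune expired rows, drop only this browser's previous row for this user,
 * then insert a new row. Only the SHA-256 of the key is stored (an addition
 * beyond the post); the raw key is returned for the sfRemember cookie.
 */
function issueRememberKey(array &$table, int $userId, string $browserId, int $now): string
{
    // remove old keys (any user)
    $table = array_values(array_filter(
        $table,
        fn(array $row) => $row['created_at'] >= $now - REMEMBER_KEY_TTL
    ));

    // remove the key previously issued to this browser for this user only;
    // rows for the same user's other browsers are left untouched
    $table = array_values(array_filter(
        $table,
        fn(array $row) => !($row['user_id'] === $userId && $row['browser_id'] === $browserId)
    ));

    $key = generateRememberKey();
    $table[] = [
        'user_id'    => $userId,
        'browser_id' => $browserId,            // takes the place of the ip_address column
        'key_hash'   => hash('sha256', $key),
        'created_at' => $now,
    ];
    return $key;
}

/**
 * Resolve a presented remember cookie to a user id, or null. The key must match
 * a row, the row must belong to the presenting browser, and it must be unexpired.
 */
function resolveRememberKey(array $table, string $presentedKey, string $browserId, int $now): ?int
{
    $presentedHash = hash('sha256', $presentedKey);
    foreach ($table as $row) {
        if (!hash_equals($row['key_hash'], $presentedHash)) {
            continue;
        }
        if ($row['browser_id'] !== $browserId) {
            return null; // key was issued to a different browser cookie
        }
        if ($row['created_at'] < $now - REMEMBER_KEY_TTL) {
            return null; // expired but not yet pruned
        }
        return $row['user_id'];
    }
    return null;
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- constructed walk-through: one user, a desktop browser and a phone ---
$table = [];
$t0 = 1700000000;

$desktopKey = issueRememberKey($table, 42, 'browser-desktop', $t0);
$phoneKey   = issueRememberKey($table, 42, 'browser-phone',   $t0 + 60);

// both browsers stay signed in: two live rows for user 42
expect(resolveRememberKey($table, $desktopKey, 'browser-desktop', $t0 + 120) === 42, 'desktop valid');
expect(resolveRememberKey($table, $phoneKey,   'browser-phone',   $t0 + 120) === 42, 'phone valid');

// signing in again on the desktop rotates only the desktop key
$desktopKey2 = issueRememberKey($table, 42, 'browser-desktop', $t0 + 180);
expect(resolveRememberKey($table, $desktopKey,  'browser-desktop', $t0 + 200) === null, 'old desktop key gone');
expect(resolveRememberKey($table, $desktopKey2, 'browser-desktop', $t0 + 200) === 42,   'new desktop key valid');
expect(resolveRememberKey($table, $phoneKey,    'browser-phone',   $t0 + 200) === 42,   'phone untouched');

// a key presented from a browser other than the one it was issued to is rejected
expect(resolveRememberKey($table, $phoneKey, 'browser-desktop', $t0 + 200) === null, 'browser mismatch');

// once the TTL has passed, the next sign-in prunes the stale rows
issueRememberKey($table, 7, 'browser-other', $t0 + REMEMBER_KEY_TTL + 1000);
expect(count($table) === 1, 'expired rows pruned');

echo "per-browser remember keys behave as described\n";
```

Run it with `php example.php`; each `expect()` corresponds to one claim in the post (two browsers signed in at once, re-login replacing only that browser's key, expired rows pruned on the next sign-in). Binding the row to the browser cookie rather than the remote address is what lets the phone and desktop hold independent keys, and deleting on `(user_id, browser_id)` rather than `user_id` alone is the single line that changes the default behaviour.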